Why you can't trust your USB thumb drive

Think your handy, portable storage device is safe? Think again.

As confirmation of just how vulnerable we all are to computer malware, two researchers presenting at this week’s Black Hat hacking conference in Las Vegas will demonstrate that we can no longer trust the ubiquitous USB thumb drive. Karsten Nohl and Jakob Lell from security consultancy SR Labs will demonstrate how they have put undetectable malware onto a USB drive which, when plugged into a computer, can do a variety of bad things. In one case, they will show how the thumb drive can act as if it were a keyboard, and issue commands to download and install malicious files onto the computer. In another example, they will show how the USB drive can be converted into a network drive and hijack internet traffic from the computer.

The idea of malware-infected USB thumb drives is not new. In fact, one study has shown that around 26 per cent of Windows infections are as a result of infected USB drives. The difference here however is that the malware is not carried on the drive where it is detectable by anti-virus software.

Software that drives USB drives

Most computer users won’t be aware that USB drives are tiny computers in their own right. There is software (called firmware) that controls the USB drive and is responsible for transmitting and receiving data from the computer when asked. Nohl and Lell have shown that it is possible to replace this firmware with code that can do a range of things like pretending to be a USB keyboard or network card. The difficulty with detecting problematic firmware is that a computer has no way of directly scanning the firmware without the firmware knowing.

Is it really that new a threat?

It is possible that this type of exploit is not actually that new and certainly security agencies like the NSA have been aware of the possibilities for some time. In the Snowden documents, a product called Cottonmouth involved a modified USB cable that could infect computers and act as a wireless bridge to further surveillance systems. There are versions of Cottonmouth that don’t need modified hardware.

On a more prosaic level, other scammers have exploited an element of this before with so-called 'Fake Flash Drives'. These are USB drives that have been modified so that they appear to the computer as bigger drives than they actually are. Something appearing to be a 16GB flash drive is actually an 8GB drive and the computer will happily try to store files on space on the device that doesn’t exist. These scammers are rife on eBay even today.

What does this mean for using USB drives?

What this all means is that there really is no way of knowing whether to trust a USB drive not having been infected. USB drive manufacturers could implement measures to try to protect against this type of tampering. The code could be cryptographically signed, effectively adding a manufacturer’s signature that computers could check before trusting a device. Given the importance of preserving what is an enormous market -- approximately $2.5 billion worth of USB drives are sold globally each year -- it would be in manufacturers’ interests to provide more security around these devices.

In the meantime, it is worth being careful with USB drives. It is always the case that you should never use drives that you have found or even been handed out for free at conferences or other events. If you decide to share a USB drive with colleagues or friends, then it may actually be worth letting them keep the drive. Of course, they would need to trust you in turn, but given that you at least know of the problem now, you will be that little bit better prepared.

David Glance does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

IMPORTANT: This information has been prepared without taking into account your objectives, financial situation or needs and you should consider if the information is appropriate for you before making an investment decision. Unless otherwise specifically stated or disclosed (such as the InvestSMART Diversified Portfolios Product Disclosure Statement), neither InvestSMART Financial Services Pty Ltd nor any of its Related Companies make any recommendations as to the merits of any investment opportunity referred to in its emails or its related websites. Product disclosure statements for financial products offered through InvestSMART can be downloaded from this website or obtained by contacting 1300 880 160. You should consider the product disclosure statement before making a decision about the product. All indications of performance returns are historical and can not be relied upon as an indicator for future performance.